ATM_Malware_PloutusI
YARA-2021-0151
Medium
general
Active
https://www.metabaseq.com/recursos/ploutus-is-back-targeting-itautec-atms-in-latin-america
ATM_Malware_PloutusI.yar
Valid Syntax
import "pe"

rule ATM_Malware_PloutusI {
    meta:
        description = "Detects Ploutus I .NET samples based on MetabaseQ report"
        author = "Frank Boldewin (@r3c0nst)"
        reference = "https://raw.githubusercontent.com/fboldewin/YARA-rules/master/ATM.Malware.PloutusI.yar"
        date = "2021-03-03"
        hash1 = "4f6d4c6f97caf888a98a3097b663055b63e605f15ea8f7cc7347283a0b8424c1"
        hash2 = "8ca29597152dc79bcf79394e1ae2635b393d844bb0eeef6709d37e6778457b31"
        hash3 = "dce1f01c08937fb5c98964a0911de403eed2101a9d46c5eb9899755c40c3765a"
        hash4 = "3a1d992277a862640a0835af9dff4b029cfc6c5451e9716f106efaf07702a98c"
        // A second "description" key: YARA accepts repeated meta keys, but tools that
        // map meta to a dictionary (yara-python, this site) keep only this last value.
        description = "https://www.metabaseq.com/recursos/ploutus-is-back-targeting-itautec-atms-in-latin-america"
    strings:
        // CIL method body: call <MethodDef token 0x060002??> ; ret
        // (0x28 = call, 4-byte little-endian metadata token, 0x2A = ret)
        $Code = {28 ?? 02 00 06 2a}
    condition:
        filesize < 300KB and
        $Code and
        // CodeView debug record naming a Diebold.pdb
        pe.pdb_path contains "Diebold.pdb" and
        // managed entry stub imported by .NET Framework executables
        pe.imports("mscoree.dll", "_CorExeMain") and
        // at least one VERSIONINFO resource exists, and the parsed version
        // block's InternalName names Diebold.exe (version_info does not depend on i)
        (for any i in (0..pe.number_of_resources - 1): (
            pe.resources[i].type == pe.RESOURCE_TYPE_VERSION and
            (pe.version_info["InternalName"] contains "Diebold.exe")))
}
Rule Metadata
description: Detects Ploutus I .NET samples based on MetabaseQ report
description (second declaration, the value most parsers keep): https://www.metabaseq.com/recursos/ploutus-is-back-targeting-itautec-atms-in-latin-america
author: Frank Boldewin (@r3c0nst)
reference: https://raw.githubusercontent.com/fboldewin/YARA-rules/master/ATM.Malware.PloutusI.yar
date: 2021-03-03
hash1: 4f6d4c6f97caf888a98a3097b663055b63e605f15ea8f7cc7347283a0b8424c1
hash2: 8ca29597152dc79bcf79394e1ae2635b393d844bb0eeef6709d37e6778457b31
hash3: dce1f01c08937fb5c98964a0911de403eed2101a9d46c5eb9899755c40c3765a
hash4: 3a1d992277a862640a0835af9dff4b029cfc6c5451e9716f106efaf07702a98c
String Definitions
$Code = {28 ?? 02 00 06 2a} (hex string; the single ?? is a full-byte wildcard)
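To make the $Code clause concrete, the following is an added example in plain Python, not code from the rule's author, from MetabaseQ or from the YARA project. It implements a small matcher for YARA hex strings (full-byte wildcards, nibble wildcards and jumps), runs the rule's exact pattern over constructed IL bytes, and decodes the CIL metadata token embedded in each hit. The sample bytes, the function names and the table of token types are assumptions made for this illustration; the matcher goes beyond the one pattern on this page so that the effect of widening or tightening it can be tried directly.

```python
"""Added example: YARA-style hex pattern matcher applied to the $Code string
of ATM_Malware_PloutusI. Not code from the rule author, MetabaseQ or YARA."""
import re

PLOUTUS_CODE = "{28 ?? 02 00 06 2a}"  # the rule's $Code string, verbatim

# CIL metadata tables a 'call' token may reference (ECMA-335 table ids).
CIL_TABLES = {0x06: "MethodDef", 0x0A: "MemberRef", 0x2B: "MethodSpec"}


def compile_hex_pattern(pattern: str) -> re.Pattern:
    """Translate a YARA hex string into a bytes regex.

    Supports plain bytes, full-byte wildcards (??), nibble wildcards (2?, ?A)
    and fixed or ranged jumps ([4], [4-6]). Alternatives ( A | B ) are not handled.
    """
    parts = []
    for tok in pattern.strip().strip("{}").split():
        jump = re.fullmatch(r"\[(\d+)(?:-(\d+))?\]", tok)
        if jump:
            lo = int(jump.group(1))
            hi = int(jump.group(2) or lo)
            parts.append(b".{%d,%d}" % (lo, hi))
        elif tok == "??":
            parts.append(b".")
        elif re.fullmatch(r"[0-9a-fA-F?]{2}", tok):
            hi_n, lo_n = tok
            # Enumerate every byte value compatible with the (possibly wildcarded) nibbles.
            allowed = [
                b for b in range(256)
                if (hi_n == "?" or b >> 4 == int(hi_n, 16))
                and (lo_n == "?" or b & 0xF == int(lo_n, 16))
            ]
            parts.append(b"[" + b"".join(re.escape(bytes([b])) for b in allowed) + b"]")
        else:
            raise ValueError(f"unsupported hex token: {tok}")
    # Lookahead so overlapping occurrences are all reported, as YARA does;
    # DOTALL so '.' also matches 0x0A.
    return re.compile(b"(?=(" + b"".join(parts) + b"))", re.DOTALL)


def find_matches(pattern: str, data: bytes) -> list:
    """Return (offset, matched_bytes) for every occurrence, overlapping included."""
    rx = compile_hex_pattern(pattern)
    return [(m.start(), m.group(1)) for m in rx.finditer(data)]


def decode_call_ret(seq: bytes) -> dict:
    """Decode the 6-byte CIL sequence 'call <token>; ret' (0x28 <LE token> 0x2A)."""
    if len(seq) != 6 or seq[0] != 0x28 or seq[5] != 0x2A:
        raise ValueError("not a call/ret sequence")
    token = int.from_bytes(seq[1:5], "little")
    table_id, rid = token >> 24, token & 0x00FFFFFF
    return {"token": token, "table": CIL_TABLES.get(table_id, hex(table_id)), "rid": rid}


# Constructed IL bytes standing in for a fragment of a .NET assembly (not taken
# from any real sample): four tiny method bodies of the 'call X; ret' shape.
SAMPLE_IL = bytes.fromhex(
    "00 00 1e 02 28 1b 02 00 06 2a"  # offset 4:  call MethodDef 0x0600021B; ret -> match
    "02 28 0f 00 00 0a 2a"           # offset 11: call MemberRef 0x0A00000F; ret -> table byte differs
    "28 40 02 00 06 2a"              # offset 17: call MethodDef 0x06000240; ret -> match
    "28 01 03 00 06 2a"              # offset 23: call MethodDef 0x06000301; ret -> RID not 0x02xx
)


def scan_for_code(data: bytes = SAMPLE_IL, pattern: str = PLOUTUS_CODE) -> list:
    """Apply the rule's $Code pattern and decode each hit."""
    return [(off, decode_call_ret(seq)) for off, seq in find_matches(pattern, data)]


if __name__ == "__main__":
    for off, info in scan_for_code():
        print(f"offset {off}: call {info['table']} row {info['rid']:#x} "
              f"(token {info['token']:#010x}); ret")
```

Running it shows hits at offsets 4 and 17 only: the pattern is satisfied by a call to a MethodDef whose row number lies in 0x0200 to 0x02FF, immediately followed by ret. That is the shape of any one-line forwarding method a .NET compiler emits, so on its own the string would fire on a great many managed executables; the rule only becomes selective because the condition ANDs it with the PDB path, the mscoree import and the InternalName check. Swapping in `{28 ?? 0? 00 06 2a}` also admits offset 23, which is the kind of widening to try when a new build has grown past row 0x02FF.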
Threat Analysis
This rule hunts for Ploutus I, a .NET ATM jackpotting malware family; the referenced MetabaseQ report covers its reappearance against Itautec ATMs in Latin America. It is a static file signature rather than a behavioural detection, and every clause of the condition must hold: the file must be a PE under 300 KB that contains the CIL call/ret sequence in $Code, carries a CodeView debug path naming Diebold.pdb, imports _CorExeMain from mscoree.dll (the managed entry stub of .NET Framework executables) and has a VERSIONINFO resource whose InternalName contains Diebold.exe. The Diebold naming mimics the ATM vendor's own software. Because the pdb path and version strings are build artefacts, a rebuild with a different PDB location or version resource evades the rule; that is the trade-off for its low false-positive risk.
Severity Level: Medium
Detection Capabilities
- File-based detection of .NET PE executables on disk, which is the intended use
- Process-memory scanning is possible (yara accepts a PID), but filesize and the pe-module lookups for debug, import and resource data are written against the on-disk file layout, so confirm any memory hit against the binary itself
- No network-traffic coverage: nothing in the condition applies to packets or streams, so the rule belongs in file and endpoint scanning, not in an IDS
Command Line Usage
# Scan a single file
yara ATM_Malware_PloutusI.yar /path/to/suspicious/file
# Scan a directory recursively
yara -r ATM_Malware_PloutusI.yar /path/to/directory/
# Print the rule's meta fields alongside each match
yara -m ATM_Malware_PloutusI.yar target_file
# Scan the executable backing a running process (Linux); this reads the file, not process memory
yara ATM_Malware_PloutusI.yar /proc/[pid]/exe
# Scan the live memory of a process instead, by PID
yara ATM_Malware_PloutusI.yar [pid]
Integration Examples
Python (yara-python)
import yara

# Compile the rule file; the pe module is loaded automatically because the rule imports it
rules = yara.compile(filepath='ATM_Malware_PloutusI.yar')
# Scan a file; each Match carries .rule, .meta and .strings (rules.match(pid=...) scans a process)
matches = rules.match('/path/to/file')
ClamAV Integration
ClamAV reads YARA rule files from its database directory or from a path given with -d; there is no separate YARA option. Its YARA support does not cover modules, however, so this rule, which imports "pe", will not be loaded. The invocation below is the correct form for rules ClamAV can parse:
clamscan -d ATM_Malware_PloutusI.yar /path/to/scan
Rule Information
YARA ID: YARA-2021-0151
Author: Frank Boldewin (@r3c0nst)
Repository:
Created: August 19, 2025
Last Updated: August 19, 2025
Last Imported: Never
Threat Intelligence
Risk Level: Medium
Category: general
Detection Confidence: Analysis Pending
False Positive Rate: Not Available
Last Seen in Wild: No Data
Similar Rules in general
YARA ID | Severity | Name | Rule
YARA-2023-0001 | CRI | Detect_Mimic_Ransomware | Detect_Mimic_Ransomware
YARA-2023-0002 | MED | SystemBC_malware | Detect_SystemBC
YARA-2023-0003 | MED | detect_catB | detect_CatB_ransomware
YARA-2022-0001 | MED | detect_Typhon_Stealer | detect_Typhon_Stealer
YARA-2023-0004 | MED | Nosu_stealer | Detect_Nosu_stealer
YARA-2022-0002 | MED | detect_Lumma_stealer | detect_Lumma_stealer
YARA-2022-0003 | MED | detect_StrelaStealer | detect_StrelaStealer
YARA-2022-0004 | MED | detect_silence_Downloader | detect_silence_Downloader